pageok
pageok
pageok
Amended Opinion in Forrester:
Good news for those following United States v. Forrester, the computer pen-register case; the Court very helpfully amended the opinion today to clarify that the surveillance program was installed at the ISP's connection facility rather than on the individual's personal machine. That's very good to know, for reasons I explained here. I think the opinion is clearly correct in light of it.

  I trust some readers are thinking that even if the court's decision is correct as a matter of Fourth Amendment law, the result is still troubling as a matter of policy. Pen register orders are very easy to get, and non-content Internet surveillance can be quite invasive. I think that's basically right, which is why I think the Pen Register statute needs to be amended. As I argued in this article, I think the standard for an Internet pen register order should be a showing of "specific and articulable facts" rather than a mere certification of relevance. In traditional Fourth Amendment terms, Congress should use a Terry stop standard rather than a subpoena standard. That's a question for Congress, not the courts, but I hope the Forrester case helps bring attention to the need for statutory reform.
Steve2:
As one of the readers who regards it as undesirable policy and accordingly couldn't care less whether or not it's correct as a matter of existing law (I'm less interested in seeing adherence to the law as it is than in the law as it should be, and I'd rather see "courts of justice" than "courts of law", so that a just but unlawful outcome gets preference to a lawful but unjust outcome), I appreciate your acknowledgement of the distinction in your post.
7.25.2007 3:02pm
scote (mail):

computer pen-register case; the Court very helpfully amended the opinion today to clarify that the surveillance program was installed at the ISP's connection facility rather than on the individual's personal machine.

I don't think this clarification helps individuals. If the URL capturing happened on the suspects computer there might be something they could do to make such a process more difficult. If this process is done at the ISP their only recourse is to use a secured proxy.

The idea that capturing your URL requests is like a pen register is a false one from a technical perspective because their is much more detailed information contained in URLs than there is in a phone number or physical address. This includes all of your Google search request terms, and many website logins and passwords. These are the sort of details that would be on the inside of a letter rather than on the outside.

The court's decision refers to IP addresses but it is unclear to me from the decision if the IP address they refer to is really that--just the IP address of the root server of the website he visited--or, more likely, the IP address and the subfolders, database request or login information that is often submitted as part of a web-page request.
7.25.2007 3:06pm
Crust (mail):
Steve2:
I'd rather see "courts of justice" than "courts of law", so that a just but unlawful outcome gets preference to a lawful but unjust outcome
But who determines -- and how do they do it -- what is the just outcome? Isn't a far better approach to try incrementally by democratic means to bring unjust laws in conformance with justice rather than asking judges to decide for themselves what is just, i.e. what the laws should be?
7.25.2007 3:13pm
OrinKerr:
Scote:

Footnote 6 of the opinion responds to your concerns:
Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators ("URL") of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person's Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com, whereas a technique that captures URLs would also divulge the particular articles the person viewed. See Pen Register Application, 396 F. Supp. 2d at 49 ("[I]f the user then enters a search phrase [in the Google search engine], that search phrase would appear in the URL after the first forward slash. This would reveal content . . . .").
7.25.2007 3:16pm
Crust (mail):
Only vaguely on topic, but what happened to the NSA call detail database which apparently violated the pen register provisions of FISA?

It reportedly covered the details of the domestic phone calls of hundreds of millions of Americans. The Bush administration neither confirmed nor denied its existence. It was challenged in ACLU v. NSA but the argument was rejected by the District Court judge on State Secrets grounds (a judgment that played second fiddle in press reports to the ruling that the TSP was illegal and unconstitutional). Since then, I haven't seen any follow up in the press or even the blogosphere.
7.25.2007 3:24pm
Justin (mail):
I wrote a longer post, but deleted it after further thought. I am okay with this decision to the extent that a federal pen register can only "to/from addresses of his email messages, the Internet protocol ("IP") addresses of the websites that he visited and the total volume of information transmitted to or from his account. As to the second one of those three, I am seriously concerned about the privacy implications, and disagree with normatively, but Smith v. Maryland is still good law and binding upon Judge Fisher. However, you had indicated in a previous post that this factual assertion is not correct (in theory, if not in practice in that case). If not, I still have a number of objections based on what would be an overextention of Smith v. Maryland.
7.25.2007 3:27pm
Crust (mail):
PS I should have used the present tense above re "the NSA call detail database which apparently violate[s] the pen register provisions of FISA". There's no reason to suppose the Bush administration has stopped this program (assuming the reporting by USA Today and others was correct and there indeed is such a program).
7.25.2007 4:09pm
Ned Ulbricht (mail):
I trust some readers are thinking that even if the court's decision is correct as a matter of Fourth Amendment law, the result is still troubling as a matter of policy.


I agree that the patch to the court's opinion is very welcome.

As a matter of my own over-riding policy, I'm much happier to have been wrong about some of the facts in this case, and to have been wrong about the correct interpretation of the Ninth Circuit's original opinion, than I would have been to let such a potentially outrageous precedent go without comment.

Further, just in case anyone was offended by my earlier characterization regarding the mental state of three distinguished judges, then I apologize.

But, I'm still not entirely convinced that the updated opinion is correct as a matter of Fourth amendment law.

As the Ninth Circuit noted (p.9060), Justice Blackmun's opinion in Smith v Maryland rested on the basis:
Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.


I'd agree that internet users obtaining internet protocol (IPv4) service from an internet service provider (ISP) should be charged with the knowledge that an IPv4 packet header conveyed to an IPv4 router must be interpreted by that router. The router needs to examine—at the very least—the IP protocol field (check for v4) and the destination IP address.

But IPv4 routers don't handle mail at the (E)SMTP level. And there's no general requirement that an internet user must use the same provider for IPv4 service and e-mail service.

Further, various IP-over-IP tunneling protocols are in common use today. And, as the Internet transitions to IPv6, more tunneling will be necessary. An IPv4 router only needs to examine the outermost IPv4 packet header. Everything else is content.

An order authorizing the collection of information equivalent to a POTS pen register trap/trace, by means of a mirror port on a layer 3 switch ("routing switch") or on a router, should only cover the outermost IP packet header. Otherwise, you're stretching the basic facts of Smith beyond reasonable recognition.
7.25.2007 4:58pm
OrinKerr:
Interesting, Ned, thanks.
7.25.2007 5:31pm
Andy Freeman (mail):
There isn't a one to one relationship between IP addresses and servers, websites, what have you. Even if we add port numbers, things don't improve much.
7.26.2007 1:05pm
Ned Ulbricht (mail):
Even if we add port numbers, things don't improve much.


Andy,

I'd agree that ATM is cell-switched.

But, although Smith was decided after the development of SS7, and despite the recent rise in popularity of VoIP, I believe that even today most Americans still use in-band DTMF ("Touch-Tone") to convey phone numbers to their telco over dedicated wires.

Suppose I call your home number, and the conversation goes something like this:

Voice 286: Hello.
Ned: Hi, is Andy there?
Voice 286: Let me see. ...[pause]... He's sleeping. Can I take a message?
Ned: Yeah, I bet he's tired. Listen, when he wakes up, could you tell him that Ned called. Ask him if he's able to ssh into 365 Main. Tell him to call Orin if he has problems getting in.
Voice 286: Ess Ess Aitch?
Ned: Yeah. If Andy has any problems secure shelling into 365 Main, he should call Orin. Kay?
Voice 286:Okay.
Ned: Thanks, bye.
Voice 286: Goodbye.
[Disconnect]

How much of that conversation should be interceptable under the authority of a pen register trap/trace order?
7.26.2007 5:09pm
Royatrytabs (mail) (www):
Hi all!
Find a real sex partner for [url=http://realpartner.bravehost.com/]tonight[/url]
http://realpartner.bravehost.com
Good luck
7.31.2007 10:17pm
Royatrytabs (mail) (www):
Hi all!
Find a real sex partner for [url=http://realpartner.bravehost.com/]tonight[/url]
http://realpartner.bravehost.com
G'night )))
7.31.2007 10:18pm